Facebook, the top-ranking free app in Google Play, has taken advantage of Android's weak platform security to collect users' phone numbers as soon as the app is installed, highlighting core differences in Apple's approach to protecting users' privacy and those of social-advertising firms like Facebook and Google.

The news of Facebook's latest "leak" was outed by Symantec after it analyzed various Android apps using its Norton Mobile Insight tool designed to "discover malicious applications, privacy risks, and potentially intrusive behavior."

Symantec didn't need to dig deep into Google Play to find pay dirt, but its researchers still noted that it "even surprised us when we reviewed the most popular applications exhibiting privacy leaks."

The firm stated, "the first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen.""Unfortunately, the Facebook application is not the only application leaking private data or even the worst" - Symantec

Just one week ago, Facebook users found that it was possible to download private information from people who had "some connection to them," even when that data had not been intentionally shared with Facebook. That illuminated the company's efforts to secretly collect all kinds of data in its social graph to improve its advertising and friend recommendations, beyond the details intentionally shared by members.

Because the various versions of Android have no coherent security policy regarding the sharing of personal data without the user's permission, Facebook's "automatic sharing" in its Android app affects everyone, even iOS users with Android friends.

Symantec said it "reached out" to Facebook, which it said "investigated the issue and will provide a fix in their next Facebook for Android release." Facebook denied that it was collecting the data for actual use and stated that it had deleted the information from its servers.

"Unfortunately, the Facebook application is not the only application leaking private data or even the worst," Symantec noted. "We will continue to post information about risky applications to this blog in the upcoming weeks." In the mean time, the firm recommends that Android users download its tool to see which Android apps are "leaking" private information.

Apple's Walled Garden

Apple's "walled garden" approach to its mobile platform has long erected barriers for app developers, forcing them to request permission before collecting the user's location data, well before anyone anticipated that developers would broadly harvest location data.

Last year, Apple's iOS 6 similarly began to block unauthorized access to Contacts after Path was found to be unloading users' address books without asking. One year later, 96 percent of iOS users are on the latest version and protected by the security enhancement.

Due to fragmentation on even new Android phones, Google's platform can't be similarly secured even if it were in Google's interests to stop app developers from sharing users' private data for advertising and social recommendation purposes.

Apple's app model on iOS has always blocked third party apps from collecting data from other apps or reading other apps' files that aren't expressly accessed by the user. The company has also worked to protect users' privacy when browsing, turning off injected cookie tracking by default in Safari.

That practice has stymied the efforts of advertising networks to build dynamic Facebook-style dossiers on individuals for ad tracking and behavior purposes, something that bothered Google so much that it simply ignored the security settings to collect data for ads and Google+, eventually resulting in the largest fine in FTC history.

Corporations' end run around Constitutional rights

Recent leaks describing corporate cooperation with government requests for private information have highlighted how businesses that collect large amounts of data for marketing, social graph or other purposes are effectively creating huge repositories for governments to tap into, often with minimal oversight in place to prevent abuses.

Public concerns about the U.S. government's spying programs have reached a fevered pitch so high that Ars recently launched an investigation into whether Apple's iMessage, an encrypted enhancement that provides far more security than plain text SMS messages, could potentially be "spied upon" by Apple itself, something the company has said it simply does not do.

"Apple has always placed a priority on protecting our customers? personal data" the company had stated earlier, "and we don?t collect or maintain a mountain of personal details about our customers in the first place. There are certain categories of information which we do not provide to law enforcement or any other group because we choose not to retain it."

No comment was made in the article about the complete lack of messaging security on other mobile platforms where SMS messaging isn't encrypted at all, including Android and Windows Mobile.

Encryption does appear to be having an impact on government efforts to police via wiretaps however. A report this week by David Kravets of Wired cited a document by the U.S. Administrative Office of the Courts which noted:"the encryption numbers begin to highlight the government?s stated fear, and its propaganda railing against encryption ? which is a standard feature on today?s Apple computers."

"Encryption was reported for 15 wiretaps in 2012 and for 7 wiretaps conducted during previous years. In four of these wiretaps, officials were unable to decipher the plain text of the messages. This is the first time that jurisdictions have reported that encryption prevented officials from obtaining the plain text of the communications since the AO began collecting encryption data in 2001."

Kravets wrote that "the encryption numbers begin to highlight the government?s stated fear, and its propaganda railing against encryption ? which is a standard feature on today?s Apple computers."

He also pointed out that "97 percent of the wiretaps issued last year were for 'portable devices' such as mobile phones and pagers," and "about 87 percent of the wiretaps were issued in drug-related cases."

This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android. iOS has had its own cases of FUBARs in this exact type of thing as well.

The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.

Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.

The thing is, "functionality" like this doesn't happen by accident. It doesn't get programmed without absolute and clear intent.

So, Facebook covering and backpedaling by "investigating" and claiming they've deleted all the gathered data is hooey. just like there's no-one checking to see how egregious these apps behave, there's also no-one checking the veracity of those claims. Just saying they have doesn't mean they have.

If someone actually had a way to check it, they'd no doubt find something, and all FB would have to do then is walk it back by saying something like, "oh, we overlooked a few, we'll take care of that right away"%u2026

By then, the data has been resold and redistributed widely. Nothing to be done about it by then%u2026

Yet another event reinforcing my decision to remove all my 'data' from FB 18 months ago, logout, and to never look back.

Privacy and social networks are opposing concepts. But I have to agree that merely installing an app shouldn't cause you to surrender your contact list. It's onerous. I'm sure Facebook worked it into their terms and conditions of use, so it's not like you can do anything about it, except not use Android.

Mostly agree, except for the solution (which I also agree with in principle, but…).

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

This is mostly a non-story in relationship to iOS strengths VS weaknesses compared to Android. iOS has had its own cases of FUBARs in this exact type of thing as well.

The sad state is many applications use various frameworks with minimal testing going on as to what the frameworks do. Many of these are designed for analytics and, if you don't really do your homework, you can get caught with these things. This is not to excuse the behavior but iOS and Android are equally guilty with or without the fragmentation issues.

They're not "equally guilty." Android is far MORE guilty.

The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

The fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

I don't get it, if you're an Android user you're already sharing your contacts with Google. Sharing them with Facebook too is no more or less of a privacy violation at that point, so what's the problem?

I went to install the FB app on my android phone once until I saw all the unnecessary permissions it wanted. I decided to instead use FB thru the Chrome browser. I don't really care if FB has my number, but they can't have full access to my phone.

Mostly agree, except for the solution (which I also agree with in principle, but…).

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

You are correct, that is a valid option.

However, IF (1) users don't agree to the terms and conditions of use until they first use (launch) the app, and (2) the app harvests your data when you install it, (as the poorly-worded article states), but before you can consent to the terms and conditions of use, then Facebook is wrong.

I wouldn't bee too sure even about the Apple Facebook implementation, I had students I work with in my lab suggested for "friending" when I've deliberately never put in my employment or university affiliation. EVER and they have zero association with anyone I had listed as friends. Maybe they're suggesting people that run off the same WiFi network? As would be the case in the lab....

Funny how some posters are denying that this is screwed up....
Facebook intentionally is hiding accessing contacts and getting numbers with out permission.
No that is not a problem... It is ok... While they are at it why dont they try to access all your pass codes to banks and all.
Android is not secure and Facebook took advantage of that and the enduser is compromised!
On the other hand they were not able to pull that off on ios ....
If u dont see the difference.. ..... Well as the say " there is no cure for ....."

I'm tired of companies trying to get off when caught by claiming they have "deleted the information from its servers" because I bet dollars to donuts ALL that information is still contained in every single database backup they've made, and when those backups get restored or reused to populate a bid-data server for analysis, all that data that they have "deleted" is right there.

… ..e fact that iOS hasn't always been 100% perfect doesn't change that it's far better. That's like saying a vitamin tablet is equally as bad for you as a poison pill, because someone once choked on a vitamin tablet.

For instance: Facebook couldn't do this on iOS.

Really? Did you write code for Facebook for Android that you speak with such authority? If yes then...

Funny how some posters are denying that this is screwed up....
Facebook intentionally is hiding accessing contacts and getting numbers with out permission.
No that is not a problem... It is ok... While they are at it why dont they try to access all your pass codes to banks and all.
Android is not secure and Facebook took advantage of that and the enduser is compromised!
On the other hand they were not able to pull that off on ios ....
If u dont see the difference.. ..... Well as the say " there is no cure for ....."

I guess you failed to check out link in post #15. Please do your homework before you shut yourself in the foot, will you?

Really? You're citing Gizmodo as a reliable source? They've had a massive chip on their shoulder ever since the iPhone 4 incident. They bash Apple at the drop of hat. Not saying it may not be happening with iOS too, but Gizmodo's not what I would call impartial and objective.

I'm seriously concerned about the emerging information economy. The longer practices like this are in place the more they are normalised, and and it becomes increasingly difficult to claw back. Currently we have software demanding carte blanch access to user information, even information that is not relevant to the provision of the service.

If companies exist to create profit we can't expect them to be more ethical than the framework we set for them. Regardless of whether they want t, in order to remain competitive they have to play this game. The responsibility to legislate a minimum acceptable standard falls to us.

The only thing software should demand from a user in order to function is a cash fee. It has no right to hold us to ransom over a real name, contact information or anything else (if the user declines).

Facebook intentionally is hiding accessing contacts and getting numbers with out permission.

They're not hiding it. Here's the list of permissions that you are presented with and have to allow the FB app in order to install it. BTW, a list this long is relatively unheard of for an android app.

Permissions

This application has access to the following:

Your accounts

create accounts and set passwords

Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.

add or remove accounts

Allows the app to perform operations like adding and removing accounts, and deleting their password.

Your location

approximate location (network-based)

Allows the app to get your approximate location. This location is derived by location services using network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine approximately where you are.

precise location (GPS and network-based)

Allows the app to get your precise location using the Global Positioning System (GPS) or network location sources such as cell towers and Wi-Fi. These location services must be turned on and available to your device for the app to use them. Apps may use this to determine where you are, and may consume additional battery power.

Network communication

full network access

Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.

Phone calls

directly call phone numbers

Allows the app to call phone numbers without your intervention. This may result in unexpected charges or calls. Note that this doesn't allow the app to call emergency numbers. Malicious apps may cost you money by making calls without your confirmation.

read phone status and identity

Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.

Storage

modify or delete the contents of your USB storage

Allows the app to write to the USB storage.

System tools

install shortcuts

Allows an app to add shortcuts without user intervention.

read battery statistics

Allows an application to read the current low-level battery use data. May allow the application to find out detailed information about which apps you use.

Your applications information

retrieve running apps

Allows the app to retrieve information about currently and recently running tasks. This may allow the app to discover information about which applications are used on the device.

Camera

take pictures and videos

Allows the app to take pictures and videos with the camera. This permission allows the app to use the camera at any time without your confirmation.

Other Application UI

draw over other apps

Allows the app to draw on top of other applications or parts of the user interface. They may interfere with your use of the interface in any application, or change what you think you are seeing in other applications.

Microphone

record audio

record audio

Your social information

write call log

Allows the app to modify your device's call log, including data about incoming and outgoing calls. Malicious apps may use this to erase or modify your call log.

read your contacts

Allows the app to read data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific individuals. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.

modify your contacts

Allows the app to modify the data about your contacts stored on your device, including the frequency with which you've called, emailed, or communicated in other ways with specific contacts. This permission allows apps to delete contact data.

They're not hiding it. Here's the list of permissions that you are presented with and have to allow the FB app in order to install it. BTW, a list this long is relatively unheard of for an android app.

[snip]

I don't use FB, and have no interest in doing so. But can someone, anyone explain to me why 90% of this stuff would be necessary for a FB app?

Mostly agree, except for the solution (which I also agree with in principle, but…).

You could just not install the FB app for Android. Or any others like it. Not much left to do with Android after that I'm guessing, but hey...

I just log into FB through Chrome. The permissions required are clearly listed before the app is installed. Not all developers are this invasive, and there's a plethora of apps which are much more privacy friendly. So, I guess your guess is not very accurate.

I don't use FB, and have no interest in doing so. But can someone, anyone explain to me why 90% of this stuff would be necessary for a FB app?

It's not necessary, FB just wants user data and knows that there's a lot of dumb people out there that will not pay attention to the massive list of required permissions. As evidenced by the few responses here, it is clear though that many of us know better and actively avoid these invasive apps.

It's not necessary, FB just wants user data and knows that there's a lot of dumb people out there that will not pay attention to the massive list of required permissions. As evidenced by the few responses here, it is clear though that many of us know better and actively avoid these invasive apps.

Basically what I thought, but wanted to know if I missed anything. Heh.

Article is the equivalent of an Apple fanboy sticking his tongue out at Android fanboys. classy.

Actually it's not. It tells me that even if I chose to use iOS to protect my privacy because I prefer it's security options that doesn't exempt me from stories like this. I'm not in control of some of my data when my best Android using friends have my phone number, personal email address, my physical address, etc. in their contacts and then they run something like this Facebook app. Data I've taken extra steps to keep out of Facebook's grubby hands has now possibly been uploaded to their great big private info vacuum in the clouds. Frankly that pisses me off.
"Don't ask for whom the bell tolls … it tolls for thee!" It not about iOS vs Android - when crap like this happens we're all compromised and it has to stop.